This Dangerous New World: Web Development Through the Prism of Security Testing

«I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.» — Stephen Hawking

In the modern world, countless things depend on the internet: various forms of communication, financial services, entertainment, and much more. However, the constant growth of the web continues to create cybersecurity risk for businesses as well as individuals.

When was the last time you consciously thought about your safety on the web? Stop for a second and think about all the information you send over the internet, including private messages, bank account credentials, and personal photographs. For better or worse, the way we use the internet means we’re all regularly at risk. Given that reality, it’s important to learn what you can about securing your safety in the online spaces that have become such an integral part of our lives. By looking at cybersecurity risk through the prism of security testing in the web development process, we can make it much more difficult for cybercriminals to attack.

Cybercrime has become one of the most advanced types of criminal behavior. This was made possible due to two primary factors: first, each and every business now has its own website; second, cybercriminals are able to maintain their anonymity, thereby evading punishment for their actions.

What’s the potential impact of a cyberattack?

If a hacker selects a specific company’s corporate website as a target, that company may end up going into bankruptcy. Do you want to know why and how it works? Let’s look a bit more closely at the possible consequences of such an experience. These consequences come in two main buckets:

Reputational

Financial

With reputational damage, the company may lose a big portion of its customers and partners. With financial losses, the company will lose a lot of money. Ironically, it would be a relief if the money lost were limited only to the company’s own money, because if the company can’t protect its customers’ money, it will face both reputational and financial losses. Undoubtedly, in some cases, these types of hacker attacks may result in the total annihilation of the service (both the website and the company). In particular, this tends to happen when hackers manage to steal information that is protected and regulated by personal data protection laws.

Is my website vulnerable to a cyberattack?

If we look yet more closely, we can divide all the internet’s websites into three main categories:

Those that have already been hacked.

Those that haven’t been hacked yet.

Those that were developed in accordance with a clear understanding of the main types of hacker attacks and the ways you can prevent or protect your website from them.

If your website is in the first or second category, you’ll benefit greatly from learning about the main types of attacks that can be used on web applications and useful tips about preventing and protecting yourself from such attacks. As everyone knows, forewarned is forearmed.

What are the most common types of cyberattacks?

A web application consists of a client-side (client), a server, and a database. These components are used to exchange various types of information, sending requests and receiving responses. During the past several years, the majority of cyberattacks have targeted the client and the database.

The vast majority of client attacks are performed using cross-site scripting (XSS), while SQL injections (SQLi) are used in the majority of database attacks. Research from the Open Web Application Security Project (OWASP), shown below, only confirms these findings.

According to OWASP, such vulnerabilities are included in the top three main safety concerns for web applications. As you can see in the list above, problems such as «broken authentication» and «session management» are also included in the top three. So we’ll be covering those problems, too.

How are SQL injections used to perform an attack?

A web application itself holds no important information. Its job is to send requests to the database in order to retrieve the required data, using the Structured Query Language, or SQL.

Via such a request, the web application is able to add, get, change, or delete data (e.g., when users edit their profiles on the website). If there’s no security barrier between the application and the data received from the user, a criminal hacker may use a web form in the interface to enter input that becomes part of the SQL request itself. This injected input is an SQL injection.

During the past 10 years, the SQL injection vulnerability has remained the most dangerous and the most popular. The main danger of this vulnerability is the fact that the malefactor can get access to the database and read, change, or delete important commercial, or even confidential, information.

For example, by using an SQL injection to the profile editing form, the hacker can not only change users’ names, but also edit available balances, check the amounts remaining in other accounts, or even steal information considered commercial secrets.

This type of vulnerability appears as a result of improperly configured validation of web form data. As a result, the cybercriminal is able to «feed» the form with previously crafted requests that pass through the web application, allowing the reading or writing of whatever data and information they require.

In general, the flaws behind these attacks are called validation errors. They include not only SQL injections, but also several other types of attacks.

How can I protect my website from SQL injections?

To protect your web application from SQL injections, you need to follow two simple rules:

All information must be transmitted to the request through a «representative» (i.e., a bound parameter, a function, or a value expression) rather than being pasted directly into the query text.

All keywords and identifiers entered by the user must be compared with the whitelist included in the code. (Whitelists list out the allowed, trusted options.)
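Both rules side by side, as an added example that is not part of the original article: a lookup that concatenates user input into the query text next to one that passes it through a bound parameter, and a sort routine that checks column and direction identifiers against a whitelist fixed in the code. The users table, its rows and the crafted input are all constructed for the demonstration, assuming SQLite as the database.

```python
import sqlite3

def make_db():
    """Constructed in-memory database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 40)])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable form: user input is concatenated straight into the SQL text,
    # so a quote in the input changes the structure of the query itself.
    query = "SELECT name, balance FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Rule 1: the value travels through a placeholder (the «representative»);
    # the driver binds it as data, never as part of the SQL.
    return conn.execute(
        "SELECT name, balance FROM users WHERE name = ?", (name,)).fetchall()

# Rule 2: identifiers and keywords cannot be bound as parameters, so they
# are compared against a whitelist hard-coded in the application.
ALLOWED_SORT_COLUMNS = {"name", "balance"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def list_sorted(conn, column, direction):
    direction = direction.upper()
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("sort column or direction not in whitelist")
    # Safe to interpolate here: both pieces were chosen from fixed sets above.
    sql = f"SELECT name FROM users ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input that closes the quoted string
    print(lookup_unsafe(db, crafted))   # the condition is always true: every row
    print(lookup_safe(db, crafted))     # no user is literally named that: no rows
    print(list_sorted(db, "balance", "desc"))
```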

What happens in broken authentication and session management?

To allow the server to identify users, each successfully authenticated user is assigned a session ID. This identifier is used during any subsequent connections between the server and the client. The session ID is stored in session cookies on the client computer. Cookies are an extension of the HTTP protocol that was created to identify users.

If your session cookies become available to a trespasser and the system has no additional parameters (e.g., IP address checking, verifying the session has only one connection), the trespasser will be able to access the system using the very same set of rights you do. If the hacker is able to get cookies from your personal account in a payment system or elsewhere, they will be able to get some of your money. In fact, you can be sure that they will do everything possible to fleece you of ALL your money.

How can I protect my website from broken authentication and session management?

To protect your web application from such attacks, count the number of active sessions and perform additional checking of IP addresses and user agents.
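The checks just described, as an added example that is not part of the original article: an in-memory session store that binds each session ID to the client's IP address and user agent, revokes a session presented from a different client, and caps the number of active sessions per user. The per-user limit of two and the request values are assumptions for the demonstration; a real deployment would keep this state in a shared store.

```python
import itertools
import secrets

MAX_ACTIVE_SESSIONS = 2   # assumed policy: at most two concurrent sessions per user

class SessionStore:
    """Session registry that ties a session ID to the client that created it."""

    def __init__(self):
        self._sessions = {}          # session_id -> record
        self._clock = itertools.count()   # monotonic ordering of creation

    def create(self, user, ip, user_agent):
        active = [sid for sid, r in self._sessions.items() if r["user"] == user]
        # Too many sessions already: evict the oldest before issuing a new one.
        if len(active) >= MAX_ACTIVE_SESSIONS:
            oldest = min(active, key=lambda s: self._sessions[s]["created"])
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        self._sessions[sid] = {"user": user, "ip": ip, "ua": user_agent,
                               "created": next(self._clock)}
        return sid

    def resolve(self, sid, ip, user_agent):
        """Return the user for a valid session, or None.
        A cookie arriving from a different IP address or browser is treated
        as stolen: the session is revoked rather than honoured."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["ip"] != ip or rec["ua"] != user_agent:
            del self._sessions[sid]
            return None
        return rec["user"]

    def active_count(self, user):
        return sum(1 for r in self._sessions.values() if r["user"] == user)
```

Strict IP binding can log out legitimate users whose address changes (mobile networks, corporate proxies), so many deployments bind to the user agent and a coarser network check instead.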

What is XSS (cross-site scripting)?

Cross-site scripting is also considered a user data validation error (just like an SQL injection). The primary difference is that the main target of the hacker is the user’s browser, and not the server. The hacker must use a web interface form to embed HTML or JavaScript code (sometimes it may even be VBScript, ActiveX, Java or Flash) into the website. This code can be hidden in a comment or a message in a forum thread. The code will be activated later, when the user opens the infected page in their browser. Such attacks are also called HTML injections because, just as with SQL injections, they are implemented through the website’s web forms.

So why is cross-site scripting dangerous? Well, there are many different ways hackers can use this vulnerability:

The script may be used to send a user’s web cookies to the hacker. (We already know how the hacker can use them.)

The hacker may be able to get all the information entered by the user on the infected page (e.g., your credit card credentials).

The hacker is able to use JavaScript to substitute the original information on the page (e.g., credentials for a money transfer, causing the user to send their money to a different account).

How can I protect my website from XSS?

To protect your web application from cross-site scripting, in the majority of cases, you just need to follow a single rule: check all the entered information for HTML tags and JavaScript/Java/VBScript/ActiveX/Flash code.
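The rule above applied to the forum-comment scenario, as an added example that is not part of the original article: submitted text is checked for HTML tags and script schemes before it is stored, and every stored value is also HTML-escaped when the page is rendered, the standard complement that keeps anything the check misses from executing. The regexes and the comment list are constructed for the demonstration, not an exhaustive filter.

```python
import html
import re

# Anything that starts a tag (<b>, </b>, <script, <!--) or a script URL scheme.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z!?]")
SCHEME_RE = re.compile(r"(?:javascript|vbscript):", re.IGNORECASE)

def contains_markup(text):
    """Input check: True when the text looks like HTML or script."""
    return bool(TAG_RE.search(text) or SCHEME_RE.search(text))

def render_comment(author, body):
    """Output encoding: user-controlled values are escaped, so even text that
    slipped past the input check renders as literal characters, not markup."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')

def submit_comment(author, body, store):
    """Reject input that carries markup; otherwise store the rendered HTML."""
    if contains_markup(author) or contains_markup(body):
        return False
    store.append(render_comment(author, body))
    return True

if __name__ == "__main__":
    comments = []   # constructed stand-in for the forum's storage
    print(submit_comment("alice", "I like this post <3 a lot", comments))
    print(submit_comment("mallory", "<script>steal(document.cookie)</script>", comments))
    print(comments)
```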

What else can I do to reduce the risk of a cyberattack?

In many cases, important stages of software development such as security testing are removed from a project’s workflow in an effort to save precious time and finish everything on deadline. While such short-term benefits may appear attractive at first sight, they’re not worth it — because such an approach will inevitably affect the safety of the application and, even more importantly, the safety of its users.

Every business or software development company that wants to create a secure, safe product must understand that cybersecurity, safety, and web app development basics should be firmly in the hands of specialists and experts who work on products’ technical sides. This mainly affects the QA team, which is the last outpost of the security checking process.

Seriously, how big is this problem? And can we beat it?

Every single day, one and a half million users become victims of cyberattacks. The aggregate damages of cyberattacks have already reached $110B per year. That’s nearly equal to the annual income of the United Arab Emirates, one of the richest countries in the world.

As this article has made clear, fighting cybercrime involves increased awareness, diligence, and follow-through in many areas. Along with the rest of my colleagues at Distillery, I want to do all I can to help businesses and individuals gain the knowledge needed to improve their cybersecurity and avoid unnecessary hacker attacks on their websites. While following the guidance outlined above is a solid start, it’s important to stay up to date on new developments in cybercrime. Don’t let cybercriminals take away what’s important to you. Instead, stay safe, keep your money, and safeguard your reputation from undue harm.

Want to learn more about how Distillery’s developers and QA engineers ensure the safety and security of our clients’ web and mobile apps and websites? Let us know!

About the Author

QA Engineer Sergey Rasputniy has been with Distillery since 2017. Prior to joining Distillery, Sergey spent three years testing software for avionics. A huge fan of traveling, he especially loves adventuring in countries known for their delicious cuisine and stunning architecture. Once, Sergey so wanted to start his explorations in the Philippines that he forgot his passport at the arrival terminal in Manila, heading straight into town.